feat: Add Issue Moderator Flows

[aceppaluni]

Description:

This PR adds support for issue triaging.

Initially, contributors would submit issues and then the issue would be picked up but without proper labels. This goes unnoticed by the bots and will not count towards the required number of completed issue pre-requisites.

These flows ensure issues are properly labeled and noticed by our current bot counters. They also ensure incoming issues meet the goals of the SDK.

Related issue(s):

Fixes #2305

Notes for reviewer:

Testing conducted using Hiero-Website repository: aceppaluni/hiero-website#9
"approved" label has been added

Checklist

• Documented (Code comments, README, etc.)
• Tested (unit, integration, etc.)

[coderabbitai]

Walkthrough

This PR adds two GitHub Actions workflows to implement an issue moderation system. New issues are automatically locked with a pending-review label, and when maintainers apply an approved label, a complementary workflow unlocks the issue and removes the pending-review label, allowing contributor engagement.

Changes

Issue Moderation Workflows

Layer / File(s)	Summary
New Issue Moderation Workflow .github/workflows/moderate-new-issues.yml	Triggered on newly opened issues, the workflow sets issues: write permissions, adds a pending-review label, posts a comment referencing triage/committers/maintainers, and locks the issue via gh api with lock_reason: off-topic to prevent interaction during triage.
Approved Issue Handling Workflow .github/workflows/approved-issues.yml	Triggered when the approved label is applied, the workflow removes the pending-review label, unlocks the issue via gh api, and creates or updates an approval comment to notify the triage and committer teams.

Estimated Code Review Effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'feat: Add Issue Moderator Flows' clearly summarizes the main change: adding GitHub Actions workflows for issue moderation and triaging.
Description check	✅ Passed	The description is directly related to the changeset, explaining the purpose of the workflows (issue triaging), problem being solved, and testing approach.
Linked Issues check	✅ Passed	The PR implements both required workflows from issue #2305: a 'moderate-new-issues' workflow that locks new issues with pending-review label, and an 'approved-issues' workflow that unlocks issues when approved label is added.
Out of Scope Changes check	✅ Passed	Both workflow files are directly scoped to the objectives in issue #2305. No extraneous changes are present beyond the two required workflows.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📋 Issue Planner

Let us write the prompt for your AI agent so you can ship faster (with fewer bugs).

View plan for ticket: #2305

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 96094c94-f537-445f-a448-516606c93dbb

📥 Commits

Reviewing files that changed from the base of the PR and between 37f4bee and 562ff77.

📒 Files selected for processing (2)

• .github/workflows/approved-issues.yml
• .github/workflows/moderate-new-issues.yml

[coderabbitai]

⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Add concurrency group to prevent race conditions.

Unlike moderate-new-issues.yml, this workflow lacks a concurrency group. If the approved label is added, removed, and re-added quickly (or the workflow is retried), parallel runs could race against each other causing inconsistent issue state.

As per coding guidelines, workflows that mutate state should use concurrency groups.

Proposed fix

 permissions:
   issues: write

+concurrency:
+  group: approve-issues-${{ github.event.issue.number }}
+  cancel-in-progress: false
+
 jobs:
   approve:

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	jobs:
	approve:
	if: github.event.label.name == 'approved'
	name: Approve Issue
	runs-on: ubuntu-latest
	permissions:
	issues: write
	concurrency:
	group: approve-issues-${{ github.event.issue.number }}
	cancel-in-progress: false
	jobs:
	approve:
	if: github.event.label.name == 'approved'
	name: Approve Issue
	runs-on: ubuntu-latest

[coderabbitai]

🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if action-remove-labels requires explicit token by examining action.yml
# and comparing with how action-add-labels is invoked in this repo

echo "=== Checking action-add-labels usage in moderate-new-issues.yml ==="
rg -A5 'action-add-labels' .github/workflows/

echo ""
echo "=== Checking action-remove-labels usage ==="
rg -A5 'action-remove-labels' .github/workflows/

Repository: hiero-ledger/hiero-sdk-python

Length of output: 1090

---

Pass github_token to action-remove-labels for consistency

In .github/workflows/approved-issues.yml, actions-ecosystem/action-remove-labels is used without a github_token, while .github/workflows/moderate-new-issues.yml passes github_token for the related action-add-labels step. Supplying it explicitly would match the repo’s pattern and avoid relying on action defaults.

Proposed change

       - name: Remove pending-review label
         uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
         with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
           labels: pending-review

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Remove pending-review label
	uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
	with:
	labels: pending-review
	- name: Remove pending-review label
	uses: actions-ecosystem/action-remove-labels@2ce5d41b4b6aa8503e285553f75ed56e0a40bae0 # v1.3.0
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	labels: pending-review

🧰 Tools

🪛 zizmor (1.25.2)

[info] 30-30: action functionality is already included by the runner (superfluous-actions): use gh issue edit --remove-label or gh pr edit --remove-label in a script step

(superfluous-actions)

[manishdait]

@aceppaluni, The changes seems good to me, just update the runners to use the self hosted ones hl-sdk-py-lin-md